1. Field of the Invention
The present invention relates to a communication data freshness confirmation system for use in a communication device having a sleep state, to confirm data freshness after recovery from the sleep state as a defense against replay attacks.
2. Description of the Related Art
A replay attack is a form of network attack in which a cyber attacker intercepts transmitted data and maliciously resends the intercepted data, fooling the receiving device into treating the resent data as newly created communication data. Such replay attacks cannot be defeated simply by use of a message authentication code encrypted with a shared encryption key, because the encrypted message authentication code is also resent, and will be correctly decrypted by the receiving device.
Three other methods, using counter values, timestamps, and responses to challenges, are often employed to defend against replay attacks. These methods will be briefly described with reference to FIG. 1. The symbol ‘∥’ in FIG. 1 indicates concatenation of data. MAC(X, Y) indicates a message authentication code generated by using input data X to operate on a data string Y. The input data X may be a communication key K, an initial vector, or one or more such items.
Counter methods are used in protocols that are now widely employed by wireless networks such as portable telephone networks and wireless local area networks (wireless LANs). In the illustrated method, the transmitting device 100 and receiving device 200 maintain separate and initially equal counter values. The transmitting device 100 places its transmitting (Tx) counter value, and a message authentication code derived from that counter value, in each data transmission or message. The receiving device 200 compares the received (Tx) counter value with its own reception (Rx) counter value. The message is considered fresh if the received counter value is equal to or greater than the reception counter value. The transmission and reception counter values are incremented after each message. A separate counter value is generally maintained for each communication partner or each communication key.
Methods based on timestamps confirm freshness replace the above counter values with time values and verify freshness by synchronization of clocks between the transmitting device 100 and receiving device 200. The clocks managed separately by the transmitting device 100 and receiving device 200 may be synchronized so that their time values match, or synchronization may be based on a relative time lag between the clocks. In either case, the synchronization process must include corrections for differences in the speeds at which the clocks run, and variations in those speeds. Accurate synchronization is difficult.
In the challenge-response method, the transmitting device 100 receives challenge information from the receiving device 200, and places data derived in part from the challenge information in a message transmitted in reply to demonstrate the freshness of the message. The challenge information is a random number or other unique information that does not duplicate previously created information.
In U.S. Pat. No. 7,552,476 (Japanese Patent Application Publication No. 2006-72970), Slick et al. propose another defense against replay attacks. The receiving device stores a list of unique codes generated by the transmitting device. When the transmitting device sends the receiving device a message, it places one of the unique codes in the message. The receiving device accepts only messages including a code that matches one of the unique codes in its stored list, and deletes the matching code from its list so that the same code cannot be used again.
In wireless sensor networks and other networks in which battery-operated communication devices must operate over long periods of time, it is also important to conserve power. One effective strategy is to place the wireless communication circuits in a sleep state while waiting to receive messages from other communication devices. Known devices have various sleep modes, in which parts of the device are shut down or the internal clock of the device is slowed or stopped. In the deepest sleep mode the internal clock is stopped and all internal power is cut off, including power to volatile memory circuits such as random access memory (RAM).
A communication device that enters a sleep state may therefore lose information needed for authenticating messages. For example, counter or time values stored in volatile memory may be lost. In the following description, two sleep states will be distinguished: a deep sleep state in which authentication information is lost, and a normal sleep state in which authentication information is not lost.
In the counter methods employed in the wireless network protocols used for mobile phones, wireless LANs, and the like, information that is updated at each data transmission is often stored in RAM to provide high speed access. A communication device that has entered a normal sleep state can read the latest value of a counter it was maintaining from its own RAM after waking up, but if the device goes into a deep sleep, when it later resumes normal operation, the counter value stored in RAM will have been lost. The communication device will then have no way to tell whether data are fresh or not, and when it receives new data from a communication partner, it will be unable to confirm that it is not experiencing a replay attack.
This problem can be solved by storing counter values and other necessary authentication information in a non-volatile memory, but in general there is a limit to the number of times the data stored in a non-volatile memory can be erased and rewritten. Therefore, non-volatile memories cannot be used to store frequently updated authentication information such as counter values or lists of unused unique codes that would have to be rewritten each time the communication device was placed in the deep sleep state.
The timestamp method provides a possible solution if the timestamps are based on an external clock that continues to operate regardless of whether the communication device itself is in a sleep state or not. However, the difficult problem of synchronizing the external clocks used by different communication devices still remains.
The challenge-response method described above provides a more promising solution, because new challenges (e.g., random numbers) can be generated after recovery from a sleep state without having to store any information during the sleep period. In conventional challenge-response methods, however, a separate challenge must be issued for each message. When a communication device recovers from a deep sleep, it may have to transmit and receive a large number of messages. The large amount of accompanying challenge traffic consumes power at the transmitting and receiving devices and uses up network bandwidth resources.
There is a need for a freshness confirmation method that does not require authentication information to be stored in a non-volatile memory each time a communication device enters a sleep state, that does not require synchronization of clocks at different devices, that does not generate large quantities of additional traffic or consume extra power, and that can function efficiently in a variety of situations, including the following: transmission or reception of just one message upon recovery from the deep sleep state, followed immediately by a return to the deep sleep state; transmission of a burst of messages upon recovery from the deep sleep state, followed by a return to the deep sleep state; periodic transmission of messages after recovery from the deep sleep state, with the device being placed in the normal sleep state between messages, followed by a return to the deep sleep state when the periodic transmission has ended.